security: pin runtime and build deps to exact versions#910

Open
ThomasPluck wants to merge 1 commit into main from security/pin-dependencies

Conversation

@ThomasPluck

Summary

  • Hard-pin all runtime dependencies and build-system requires to exact versions to mitigate dependency confusion / supply chain attacks
  • Dev dependencies left with floor pins (not a runtime attack surface)

Recommendation

This is a security patch — recommend cutting a new release after merge so downstream consumers pick up the pinned deps.

Test plan

  • uv lock resolves cleanly
  • uv sync --dev installs successfully
  • Existing tests pass

🤖 Generated with Claude Code

Mitigate dependency confusion and supply chain attacks by hard-pinning
all runtime dependencies and build-system requires to exact versions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
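A checker for the pin policy this PR describes, added here as an example; it is not code from the PR or from the project. It parses a constructed pyproject.toml (the project's real file is not on this page) and reports every [build-system] requires and [project] dependency that is not a single `==` pin to a concrete version, while dev dependencies, assumed here to live in PEP 735 `[dependency-groups]`, only need some bound. All function and sample names are my own.

```python
"""Enforce "exact pins for runtime/build deps, floor pins allowed for dev".

Added example, not the project's code. The pyproject below is constructed
to contain one passing and several failing entries per section.
"""
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore[no-redef]

# Constructed sample; NOT the project's pyproject.toml.
SAMPLE_PYPROJECT = """
[build-system]
requires = ["hatchling==1.25.0", "setuptools>=68"]

[project]
name = "example"
version = "0.1.0"
dependencies = [
    "requests==2.32.3",
    "numpy>=1.26",
    "cryptography~=42.0",
    "pydantic==2.*",
    "typing-extensions==4.12.2; python_version < '3.11'",
]

[project.optional-dependencies]
cli = ["click==8.1.7"]

[dependency-groups]
dev = ["pytest>=8", "ruff>=0.5"]
"""

# Minimal PEP 508 split: name, optional [extras], version spec, optional ;marker.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"\s*(?P<extras>\[[^\]]*\])?"
    r"\s*(?P<spec>[^;]*?)"
    r"\s*(?:;(?P<marker>.*))?$"
)
# Exact pin: exactly one "==" clause and a concrete version (no "2.*" wildcard,
# no ">=", "~=", "===", and no bare name).
_EXACT_RE = re.compile(r"^==\s*[0-9][A-Za-z0-9.+!]*$")


def version_spec(requirement: str) -> str:
    """Return the version specifier part of a requirement string ("" if none)."""
    m = _REQ_RE.match(requirement)
    if not m:
        raise ValueError(f"unparseable requirement: {requirement!r}")
    return m.group("spec").strip()


def is_exact_pin(requirement: str) -> bool:
    return bool(_EXACT_RE.match(version_spec(requirement)))


def check_pyproject(text: str) -> dict[str, list[str]]:
    """Map each runtime/build section to the requirements that are not exact pins.

    Extras under optional-dependencies are installed by consumers too, so they
    are held to the same rule as [project].dependencies.
    """
    data = tomllib.loads(text)
    project = data.get("project", {})
    sections = {
        "build-system.requires": data.get("build-system", {}).get("requires", []),
        "project.dependencies": project.get("dependencies", []),
    }
    for extra, reqs in project.get("optional-dependencies", {}).items():
        sections[f"project.optional-dependencies.{extra}"] = reqs
    violations: dict[str, list[str]] = {}
    for section, reqs in sections.items():
        bad = [r for r in reqs if not is_exact_pin(r)]
        if bad:
            violations[section] = bad
    return violations


def unbounded_dev_requirements(text: str) -> dict[str, list[str]]:
    """Dev groups are allowed floor pins, but a bare name with no bound is flagged."""
    data = tomllib.loads(text)
    result: dict[str, list[str]] = {}
    for group, entries in data.get("dependency-groups", {}).items():
        # PEP 735 groups may also hold {include-group = "..."} tables; skip those.
        reqs = [e for e in entries if isinstance(e, str)]
        bare = [r for r in reqs if version_spec(r) == ""]
        if bare:
            result[group] = bare
    return result


def main() -> int:
    violations = check_pyproject(SAMPLE_PYPROJECT)
    for section, reqs in violations.items():
        for r in reqs:
            print(f"{section}: not an exact pin: {r}")
    for group, reqs in unbounded_dev_requirements(SAMPLE_PYPROJECT).items():
        for r in reqs:
            print(f"dependency-groups.{group}: no version bound: {r}")
    return 1 if violations else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it in CI before `uv lock` to fail the build when a loose pin sneaks back in. One caveat worth keeping in mind when reviewing the claim in the summary: an exact `==` pin fixes which version the resolver picks, but says nothing about which index serves that version or whether the downloaded artifact is the one the maintainer tested with. Substitution of a package from another index or a tampered artifact is caught by the per-artifact hashes that `uv lock` records in uv.lock and by installing strictly from that lock (for example `uv sync --locked`), which the test plan above already exercises; the pins and the lock file together are what downstream consumers should pick up.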
@github-actions

Label error. Requires at least 1 of: breaking, bug, github_actions, documentation, dependencies, enhancement, feature, maintenance, security, typing. Found:

Labels

None yet

1 participant